According to Mandiant, North Korean threat actors are elevating their social engineering through AI-generated deepfakes paired with custom malware to target the cryptocurrency sector, with UNC1069 described as a financially motivated group active since 2018. The intrusion at a FinTech company reveals a shift from simple phishing to a full toolkit of AI-enabled lures and seven distinct malware families used in the operation.
The campaign began with a Telegram message from a seemingly trusted contact, followed by a Calendly invite for a video call and a Zoom meeting hosted on a spoofed domain, where the victim was shown a deepfake of a CEO. Once inside, the attackers deployed backdoors, including three new data-harvesting tools named SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
SILENCELIFT beacons host information to a C2 server and can interrupt Telegram communications, DEEPBREATH is a Swift data miner that can bypass macOS protections to steal credentials and data, and CHROMEPUSH is a malicious browser extension that records keystrokes and steals login data. The report highlights a broader trend of integrating generative AI into active operations, with financial losses reflecting the real impact of these tactics.